Zero-Day Attacks Thrive for Months Before Disclosure

Zero-day vulnerabilities and exploits dominate headlines and most heated information security discussions. In truth, however, there are relatively few of these attacks hitting a small number of hosts, according to new research on the subject.

Zero-day vulnerabilities and exploits dominate headlines and most heated information security discussions. In truth, however, there are relatively few of these attacks hitting a small number of hosts, according to new research on the subject.

The reason zero days eat up so much bandwidth is because of their effectiveness in compromising targets and avoiding detection. Researchers Leyla Bilge and Tudor Dumitras of Symantec Research Labs looked at period of malware activity on a host of Symantec detection platforms from 2008 to 2011 and quantified the window of exposure organizations face from attacks that are active before vulnerabilities are publicly disclosed.

The 18 attacks they discovered in that three-year timespan lasted anywhere between 19 days and 30 months, an average of 312 days, or 10 months. That means organizations targeted by zero-day malware were likely severely compromised by a variety of malware attacking undisclosed vulnerabilities on a number of platforms.

“For cyber criminals, unpatched vulnerabilities in popular software such as Microsoft Office or Adobe Flash represent a free pass to any target they might wish to attack, from Fortune 500 companies to millions of consumer PCs around the world,” Bilge and Dumitras wrote in a paper “Before We Knew It: An empirical study of zero-day attacks in the real world.”

Not surprisingly, once zero-day vulnerabilities are publicly disclosed, attacks spike up by five orders of magnitude, the researchers said, and most within 30 days of disclosure.

“Cyber criminals watch closely the disclosure of new vulnerabilities in order to start exploiting them which causes a significant risk for end users,” the paper said. 

The researchers said they found 18 zero-day vulnerabilities starting in February 2008 to the end of last year: three in 2008; seven in 2009; six in 2010; and two in 2011. Fifteen of the zero-days targeted fewer than 1,000 hosts, while the other three (Stuxnet and its variants; Conficker and its variants; and a Bloodhound Exploit) infected hundreds of thousands of machines before being detected. They also discovered that patching processes are still lacking in organizations as more than 58 percent of antivirus signatures for these zero-days remain active today, years after disclosure in some cases.

“When disclosed vulnerabilities are left unpatched, this creates an opportunity for cyber criminals to create additional exploits and to conduct attacks on a larger scale; however these attacks can usually be detected by an antivirus program with up-to-date definitions,” the paper said.

The researchers conducted their study based on data gathered by Symantec’s proprietary Worldwide Intelligence Network Environment (WINE), which is fed by hosts running Symantec security products that are opted-in to share data with the network. From this, the researchers extracted two sets of data, antivirus telemetry, which are detections of known threats for which Symantec has a signature available and deployed; and binary reputation data, a report of benign and malicious binaries downloaded on hosts. This included 32 billion reports and 300 million distinct files on 11 million hosts, the paper said.

These data sets were correlated with information from the Open Source Vulnerability Database (OSVDB), Symantec’s Threat Explorer, a representative list of malware observed by Symantec, and a Symantec data set with dynamic analysis results for malware samples, the paper said.

In order to identify zero-day attacks in the wild before public disclosure, Symantec’s researchers built a five-step methodology. The first step was to collect discovery, disclosure and exploit release dates for vulnerabilities given a CVE identifier and then search its Threat Explorer site for threats exploiting these vulnerabilities. This enabled them to map threats to corresponding CVE numbers. Next they mapped threats to exploits and variants by finding exploits detected by each virus signature in the binary reputation data. The third step was to query the dynamic analysis data set for files downloaded after a successful exploitation (hashes), which enabled them to map threats to malicious files. Next, they searched for each executable in the binary reputation data to estimate when it first appeared online; this would identify an attack rather than a successful infection. Finally, comparing the start date of each attack with the disclosure date of the corresponding vulnerability allowed them to determine whether a zero-day attack had been carried out. If at least one hash field was downloaded before disclosure, that indicated an attack.

“It seems that, as long as software will have bugs and the development of exploits for new vulnerabilities will be a profitable activity, we will be exposed to zero-day attacks,” the paper said. “In fact, 60 percent of the zero-day vulnerabilities we identify in our study were not known before, which suggests that there are many more zero-day attacks than previously thought, perhaps more than twice as many.”

Suggested articles